Родитель
3a83604414
Коммит
8446428a2f
|
@ -0,0 +1,32 @@
|
|||
|
||||
# Synopsis: Use short rule names
|
||||
Rule 'Rule.Name' -Type 'PSRule.Rules.Rule' {
|
||||
Recommend 'Rule name should be less than 35 characters to prevent being truncated.'
|
||||
Reason "The rule name is too long."
|
||||
$TargetObject.RuleName.Length -le 35
|
||||
$TargetObject.RuleName.StartsWith('Kubernetes.')
|
||||
}
|
||||
|
||||
# Synopsis: Complete help documentation
|
||||
Rule 'Rule.Help' -Type 'PSRule.Rules.Rule' {
|
||||
$Assert.HasFieldValue($TargetObject, 'Info.Synopsis')
|
||||
$Assert.HasFieldValue($TargetObject, 'Info.Description')
|
||||
$Assert.HasFieldValue($TargetObject, 'Info.Recommendation')
|
||||
}
|
||||
|
||||
# Synopsis: Rules must flag if the Kubernetes feature is core or AKS
|
||||
Rule 'Rule.Tags' -Type 'PSRule.Rules.Rule' {
|
||||
Recommend 'Add a group tag to the rule.'
|
||||
$TargetObject.Tag.ToHashtable() | Within 'group' 'core', 'AKS' -CaseSensitive
|
||||
}
|
||||
|
||||
# Synopsis: Use severity and category annotations
|
||||
Rule 'Rule.Annotations' -Type 'PSRule.Rules.Rule' {
|
||||
$Assert.HasFieldValue($TargetObject, 'Info.Annotations.severity')
|
||||
$Assert.HasFieldValue($TargetObject, 'Info.Annotations.category')
|
||||
}
|
||||
|
||||
# Synopsis: Use online help
|
||||
Rule 'Rule.OnlineHelp' -Type 'PSRule.Rules.Rule' {
|
||||
$Assert.HasFieldValue($TargetObject, 'Info.Annotations.''online version''')
|
||||
}
|
|
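Review bot: The `Recommend` text in `Rule.Name` says names should be "less than 35 characters" while the condition a few lines down is `$TargetObject.RuleName.Length -le 35`, which accepts exactly 35; align them, e.g. `Recommend 'Rule name should be 35 characters or less to prevent being truncated.'`. The unconditional `Reason "The rule name is too long."` is also reported when the only failing condition is `$TargetObject.RuleName.StartsWith('Kubernetes.')`, so the explanation is wrong for a bad prefix; a second `Reason` for the prefix case, or moving the prefix check into its own rule, would keep the report accurate. `Rule.Annotations` only asserts that `Info.Annotations.severity` and `Info.Annotations.category` exist, so a misspelt value passes QA; the rule docs touched later in this commit use a fixed vocabulary (severity Critical/Important/Awareness), which this rule could enforce with something like `Within 'Info.Annotations.severity' 'Critical', 'Important', 'Awareness' -CaseSensitive`, as `Rule.Tags` already does for `group`.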
@ -6,7 +6,7 @@
|
|||
{
|
||||
"label": "test",
|
||||
"type": "shell",
|
||||
"command": "Invoke-Build Test",
|
||||
"command": "Invoke-Build Test -AssertStyle Client",
|
||||
"group": {
|
||||
"kind": "test",
|
||||
"isDefault": true
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
|
||||
## Unreleased
|
||||
|
||||
- Updated documentation to use parent culture `en`. [#30](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/30)
|
||||
|
||||
## v0.1.0-B2001007 (pre-release)
|
||||
|
||||
- **Breaking change**: Updated and renamed baselines make them easier to use. [#27](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/27)
|
||||
|
|
|
@ -8,7 +8,8 @@ A suite of rules to validate Kubernetes resources using PSRule.
|
|||
|
||||
This project is to be considered a **proof-of-concept** and **not a supported product**.
|
||||
|
||||
For issues with rules and documentation please check our GitHub [issues](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues) page. If you do not see your problem captured, please file a new issue and follow the provided template.
|
||||
For issues with rules and documentation please check our GitHub [issues](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues) page.
|
||||
If you do not see your problem captured, please file a new issue and follow the provided template.
|
||||
|
||||
If you have any problems with the [PSRule][project] engine, please check the project GitHub [issues](https://github.com/Microsoft/PSRule/issues) page instead.
|
||||
|
||||
|
@ -32,7 +33,8 @@ PSRule for Kubernetes provides two methods for analyzing Kubernetes resources:
|
|||
### Offline with a manifest
|
||||
|
||||
Kubernetes resources can be validated within a YAML manifest file.
|
||||
To validate Kubernetes resources use the `Invoke-PSRule` cmdlet. PSRule natively supports reading objects from YAML files using the `-InputPath` parameter.
|
||||
To validate Kubernetes resources use the `Invoke-PSRule` cmdlet.
|
||||
PSRule natively supports reading objects from YAML files using the `-InputPath` parameter.
|
||||
The `-InputPath` parameter can be abbreviated to `-f`.
|
||||
|
||||
For example:
|
||||
|
@ -154,7 +156,7 @@ Kubernetes.Pod.Replicas 0 2 Fail
|
|||
|
||||
For a list of rules included in the `PSRule.Rules.Kubernetes` module see:
|
||||
|
||||
- [Module rule reference](docs/rules/en-US/module.md)
|
||||
- [Module rule reference](docs/rules/en/module.md)
|
||||
|
||||
## Changes and versioning
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ Document 'RuleHelp' {
|
|||
}
|
||||
|
||||
if (!$annotations.Contains('online version')) {
|
||||
$annotations['online version'] = "https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/$($rule.Name).md";
|
||||
$annotations['online version'] = "https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en/$($rule.Name).md";
|
||||
}
|
||||
|
||||
Metadata $annotations;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
severity: Critical
|
||||
category: Security
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.AKS.PublicLB.md
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en/Kubernetes.AKS.PublicLB.md
|
||||
---
|
||||
|
||||
# Use internal load balancer
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
severity: Important
|
||||
category: API
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.API.Removal.md
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en/Kubernetes.API.Removal.md
|
||||
---
|
||||
|
||||
# Use supported APIs
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
severity: Awareness
|
||||
category: Management
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Metadata.md
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en/Kubernetes.Metadata.md
|
||||
---
|
||||
|
||||
# Use recommended labels
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
severity: Important
|
||||
category: Reliability
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Health.md
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en/Kubernetes.Pod.Health.md
|
||||
---
|
||||
|
||||
# Use probes
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
severity: Important
|
||||
category: Security
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Latest.md
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en/Kubernetes.Pod.Latest.md
|
||||
---
|
||||
|
||||
# Use specific tags
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
severity: Critical
|
||||
category: Security
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.PriviledgeEscalation.md
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en/Kubernetes.Pod.PriviledgeEscalation.md
|
||||
---
|
||||
|
||||
# Deny privilege escalation
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
severity: Important
|
||||
category: Reliability
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Replicas.md
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en/Kubernetes.Pod.Replicas.md
|
||||
---
|
||||
|
||||
# Use two or more replicas
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
severity: Important
|
||||
category: Performance
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Resources.md
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en/Kubernetes.Pod.Resources.md
|
||||
---
|
||||
|
||||
# Set compute resource requirements
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
severity: Critical
|
||||
category: Security
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Secrets.md
|
||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en/Kubernetes.Pod.Secrets.md
|
||||
---
|
||||
|
||||
# Use secret references
|
|
@ -14,7 +14,10 @@ param (
|
|||
[Switch]$CodeCoverage = $False,
|
||||
|
||||
[Parameter(Mandatory = $False)]
|
||||
[String]$ArtifactPath = (Join-Path -Path $PWD -ChildPath out/modules)
|
||||
[String]$ArtifactPath = (Join-Path -Path $PWD -ChildPath out/modules),
|
||||
|
||||
[Parameter(Mandatory = $False)]
|
||||
[String]$AssertStyle = 'AzurePipelines'
|
||||
)
|
||||
|
||||
Write-Host -Object "[Pipeline] -- PWD: $PWD" -ForegroundColor Green;
|
||||
|
@ -100,7 +103,7 @@ task VersionModule ModuleDependencies, {
|
|||
$manifest = Test-ModuleManifest -Path $manifestPath;
|
||||
$requiredModules = $manifest.RequiredModules | ForEach-Object -Process {
|
||||
if ($_.Name -eq 'PSRule' -and $Configuration -eq 'Release') {
|
||||
@{ ModuleName = 'PSRule'; ModuleVersion = '0.12.0' }
|
||||
@{ ModuleName = 'PSRule'; ModuleVersion = '0.13.0' }
|
||||
}
|
||||
else {
|
||||
@{ ModuleName = $_.Name; ModuleVersion = $_.Version }
|
||||
|
@ -150,8 +153,8 @@ task PSScriptAnalyzer NuGet, {
|
|||
|
||||
# Synopsis: Install PSRule
|
||||
task PSRule NuGet, {
|
||||
if ($Null -eq (Get-InstalledModule -Name PSRule -MinimumVersion 0.12.0 -ErrorAction Ignore)) {
|
||||
Install-Module -Name PSRule -MinimumVersion 0.12.0 -Scope CurrentUser -Force;
|
||||
if ($Null -eq (Get-InstalledModule -Name PSRule -MinimumVersion 0.13.0 -ErrorAction Ignore)) {
|
||||
Install-Module -Name PSRule -MinimumVersion 0.13.0 -Scope CurrentUser -Force;
|
||||
}
|
||||
Import-Module -Name PSRule -Verbose:$False;
|
||||
}
|
||||
|
@ -183,7 +186,7 @@ task CopyModule {
|
|||
# Synopsis: Build modules only
|
||||
task BuildModule CopyModule
|
||||
|
||||
task TestRules PSRule, Pester, PSScriptAnalyzer, {
|
||||
task TestModule PSRule, Pester, PSScriptAnalyzer, {
|
||||
# Run Pester tests
|
||||
$pesterParams = @{ Path = $PWD; OutputFile = 'reports/pester-unit.xml'; OutputFormat = 'NUnitXml'; PesterOption = @{ IncludeVSCodeMarker = $True }; PassThru = $True; };
|
||||
|
||||
|
@ -207,6 +210,21 @@ task TestRules PSRule, Pester, PSScriptAnalyzer, {
|
|||
}
|
||||
}
|
||||
|
||||
# Synopsis: Run validation
|
||||
task Rules PSRule, {
|
||||
$assertParams = @{
|
||||
Path = './.ps-rule/'
|
||||
Style = $AssertStyle
|
||||
OutputFormat = 'NUnit3';
|
||||
}
|
||||
Import-Module (Join-Path -Path $PWD -ChildPath out/modules/PSRule.Rules.Kubernetes) -Force;
|
||||
# Get-RepoRuleData -Path $PWD |
|
||||
# Assert-PSRule @assertParams -OutputPath reports/ps-rule-file.xml;
|
||||
|
||||
$rules = Get-PSRule -Module PSRule.Rules.Kubernetes;
|
||||
$rules | Assert-PSRule @assertParams -OutputPath reports/ps-rule-file2.xml;
|
||||
}
|
||||
|
||||
# Synopsis: Run script analyzer
|
||||
task Analyze Build, PSScriptAnalyzer, {
|
||||
Invoke-ScriptAnalyzer -Path out/modules/PSRule.Rules.Kubernetes;
|
||||
|
@ -216,39 +234,21 @@ task Analyze Build, PSScriptAnalyzer, {
|
|||
task BuildRuleDocs Build, PSRule, PSDocs, {
|
||||
Import-Module (Join-Path -Path $PWD -ChildPath out/modules/PSRule.Rules.Kubernetes) -Force;
|
||||
$Null = Invoke-PSDocument -Name module -OutputPath .\docs\rules\en-US\ -Path .\RuleToc.Doc.ps1;
|
||||
# $rules = Get-PSRule -Module 'PSRule.Rules.Kubernetes';
|
||||
# $rules | ForEach-Object -Process {
|
||||
# Invoke-PSDocument -Path .\RuleHelp.Doc.ps1 -OutputPath .\docs\rules\en-US\ -InstanceName $_.Info.Name -inputObject $_;
|
||||
# }
|
||||
}
|
||||
|
||||
# Synopsis: Build help
|
||||
task BuildHelp BuildModule, PlatyPS, {
|
||||
# Generate MAML and about topics
|
||||
# $Null = New-ExternalHelp -OutputPath out/docs/PSRule.Rules.Kubernetes -Path '.\docs\commands\PSRule.Rules.Kubernetes\en-US' -Force;
|
||||
|
||||
if (!(Test-Path out/modules/PSRule.Rules.Kubernetes/en-US/)) {
|
||||
New-Item -Path out/modules/PSRule.Rules.Kubernetes/en-US/ -ItemType Directory -Force;
|
||||
}
|
||||
if (!(Test-Path out/modules/PSRule.Rules.Kubernetes/en-AU/)) {
|
||||
New-Item -Path out/modules/PSRule.Rules.Kubernetes/en-AU/ -ItemType Directory -Force;
|
||||
}
|
||||
if (!(Test-Path out/modules/PSRule.Rules.Kubernetes/en-GB/)) {
|
||||
New-Item -Path out/modules/PSRule.Rules.Kubernetes/en-GB/ -ItemType Directory -Force;
|
||||
if (!(Test-Path out/modules/PSRule.Rules.Kubernetes/en/)) {
|
||||
$Null = New-Item -Path out/modules/PSRule.Rules.Kubernetes/en/ -ItemType Directory -Force;
|
||||
}
|
||||
|
||||
# Copy generated help into module out path
|
||||
# $Null = Copy-Item -Path out/docs/PSRule.Rules.Kubernetes/* -Destination out/modules/PSRule.Rules.Kubernetes/en-US/ -Recurse;
|
||||
# $Null = Copy-Item -Path out/docs/PSRule.Rules.Kubernetes/* -Destination out/modules/PSRule.Rules.Kubernetes/en-AU/ -Recurse;
|
||||
# $Null = Copy-Item -Path out/docs/PSRule.Rules.Kubernetes/* -Destination out/modules/PSRule.Rules.Kubernetes/en-GB/ -Recurse;
|
||||
$Null = Copy-Item -Path docs/rules/en-US/*.md -Destination out/modules/PSRule.Rules.Kubernetes/en-US/;
|
||||
$Null = Copy-Item -Path docs/rules/en-US/*.md -Destination out/modules/PSRule.Rules.Kubernetes/en-AU/;
|
||||
$Null = Copy-Item -Path docs/rules/en-US/*.md -Destination out/modules/PSRule.Rules.Kubernetes/en-GB/;
|
||||
$Null = Copy-Item -Path docs/rules/en/*.md -Destination out/modules/PSRule.Rules.Kubernetes/en/;
|
||||
}
|
||||
|
||||
task ScaffoldHelp Build, BuildRuleDocs, {
|
||||
Import-Module (Join-Path -Path $PWD -ChildPath out/modules/PSRule.Rules.Kubernetes) -Force;
|
||||
Update-MarkdownHelp -Path '.\docs\commands\PSRule.Rules.Kubernetes\en-US';
|
||||
# Import-Module (Join-Path -Path $PWD -ChildPath out/modules/PSRule.Rules.Kubernetes) -Force;
|
||||
# Update-MarkdownHelp -Path '.\docs\commands\PSRule.Rules.Kubernetes\en-US';
|
||||
}
|
||||
|
||||
# Synopsis: Add shipit build tag
|
||||
|
@ -265,7 +265,7 @@ task Clean {
|
|||
|
||||
task Build Clean, BuildModule, VersionModule, BuildHelp
|
||||
|
||||
task Test Build, TestRules
|
||||
task Test Build, Rules, TestModule
|
||||
|
||||
task Release ReleaseModule, TagBuild
|
||||
|
||||
|
|
|
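Review bot: `task Rules PSRule, {` imports `out/modules/PSRule.Rules.Kubernetes` but does not depend on `Build`, unlike `task Analyze Build, PSScriptAnalyzer` directly below it, so running `Invoke-Build Rules` on a clean checkout would fail at `Import-Module` before the QA rules execute; it only works via `task Test Build, Rules, TestModule` because Build happens to be listed first. Change the header to `task Rules Build, PSRule, {`. The minimum PSRule version `0.13.0` is now written twice (the `VersionModule` hunk and the `PSRule` install task); a single variable near the `param` block would stop the two from drifting apart on the next bump. The output name `reports/ps-rule-file2.xml` and the commented-out `Get-RepoRuleData` lines in the same task look like leftovers from an earlier variant, and `ScaffoldHelp` is left with a fully commented-out body, so it now runs as an empty task. `$AssertStyle` accepts any string; a `[ValidateSet()]` covering the styles PSRule accepts (this commit uses `AzurePipelines` and `Client`) would reject a typo at parameter binding instead of inside `Assert-PSRule`.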
@ -0,0 +1,6 @@
|
|||
# PSRule options for QA
|
||||
|
||||
binding:
|
||||
targetName:
|
||||
- RuleName
|
||||
- FullName
|
|
@ -1,9 +0,0 @@
|
|||
@{
|
||||
PodCPURequest = 'Set CPU resource reservation.'
|
||||
PodCPULimit = 'Set CPU resource limit.'
|
||||
PodMemRequest = 'Set memory resource reservation.'
|
||||
PodMemLimit = 'Set memory resource limit.'
|
||||
RecommendLabel = 'Recommend label ''{0}'' is not set.'
|
||||
LivenessProbe = 'Liveness probe not configured for ''{0}'''
|
||||
ReadinessProbe = 'Readiness probe not configured for ''{0}'''
|
||||
}
|
|
@ -1,9 +0,0 @@
|
|||
@{
|
||||
PodCPURequest = 'Set CPU resource reservation.'
|
||||
PodCPULimit = 'Set CPU resource limit.'
|
||||
PodMemRequest = 'Set memory resource reservation.'
|
||||
PodMemLimit = 'Set memory resource limit.'
|
||||
RecommendLabel = 'Recommend label ''{0}'' is not set.'
|
||||
LivenessProbe = 'Liveness probe not configured for ''{0}'''
|
||||
ReadinessProbe = 'Readiness probe not configured for ''{0}'''
|
||||
}
|